Aamer M

asked on

PKI Issue: Unable to check revocation

We have a Microsoft PKI hierarchy with one offline standalone Root CA. We also have an enterprise Subordinate issuing CA. Recently we started getting errors as below when we are requesting new certificates.
Error: An error occurred while enrolling for a certificate. A certificate request could not be created.
Error: The revocation function was unable to check revocation because the revocation server was offline. 0x80092012 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)
The CRLs for the root CA are published in the AD and also in a URL on the CA server.
The CRL of the subCA will automatically be published in the AD as I understand.
Could the ROOT CA CRL be the ISSUE? I want to be sure, as it's a big process of approvals to start the ROOT CA and get a new CRL.
I want to be sure that it's not a local issue in my site before I contact the HQ ROOT CA admin to request the new Root server CRLs.
Any help appreciated
Jakob Digranes

From your subCA, test this command:

pkiview.msc and let me know the status
Aamer M

ASKER

In the pkiview here is the output.

Certificate Authority Container: Certificate is OK
AIA Container: Two Certificates are OK
CDP Container: Delta CRL Expired, base CRL are OK
Enrollment Services container: has an error in the certificate
Try to publish the delta CRL. Is it expired on the root CA or the subordinate?
(And just to mention: you would never (!) need a delta CRL for a root CA.)
Aamer M

ASKER

It was showing expired last time I saw that. Now it has a status of OK, but I still have the error when requesting the certificate.
What CRLs do you have configured: AD, file shares, HTTP?
Is your Root CA marked as offline?

If you take a certificate that you have already issued, can you verify that it's still valid?

certutil -URL [URL] brings up the UI for revocation checks and makes it easy to see what might be wrong (swap [URL] for your HTTP CDP and then select an already issued certificate).
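A scripted version of that check, added here as an example rather than code from the thread: it pulls the CDP URLs out of an already-issued certificate, downloads each HTTP CRL, reports whether its NextUpdate has passed, and then runs certutil's fetch-based chain verification. The path in $CertPath is a placeholder.

```powershell
# Added example (not from the thread). $CertPath is a placeholder; point it at a .cer exported from the subCA.
$CertPath = 'C:\temp\issued-cert.cer'

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# CRL Distribution Points extension (OID 2.5.29.31); Format($true) prints lines such as "URL=http://..."
$cdpExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdpExt) { Write-Warning 'Certificate carries no CDP extension'; return }

$urls = [regex]::Matches($cdpExt.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }

foreach ($url in $urls) {
    if ($url -notmatch '^https?://') {
        "$url : LDAP/file CDP, needs directory access from the client; skipped here"
        continue
    }
    $crlFile = Join-Path $env:TEMP 'cdp-check.crl'
    try {
        Invoke-WebRequest -Uri $url -OutFile $crlFile -UseBasicParsing -ErrorAction Stop
    } catch {
        # An unreachable CDP is exactly what the client reports as CRYPT_E_REVOCATION_OFFLINE
        "$url : download FAILED ($($_.Exception.Message))"
        continue
    }
    # certutil -dump prints the CRL validity window; a CRL whose NextUpdate has passed is treated as unusable
    $line = (certutil -dump $crlFile | Select-String 'Next\s*Update:' | Select-Object -First 1).Line
    $next = ($line -replace '.*Next\s*Update:\s*', '').Trim()
    $parsed = [datetime]::MinValue
    if ([datetime]::TryParse($next, [ref]$parsed)) {
        $state = if ($parsed -lt (Get-Date)) { 'EXPIRED' } else { 'current' }
    } else {
        $state = 'could not parse date, inspect manually'
    }
    "$url : reachable, NextUpdate = $next ($state)"
}

# Full chain and revocation check that fetches AIA/CDP data from the network, as the enrolling client does
certutil -verify -urlfetch $CertPath
```

An expired or unreachable CRL on either the root or the issuing CA shows up here before you go through the approval process to bring the offline root online.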
Aamer M

ASKER

We publish our CRL in AD and a URL configured on the PKI server.
ASKER CERTIFIED SOLUTION
Chris